[imp] Emptying trash logs you out ... URL problem
Barry Pederson
barryp at medicine.nodak.edu
Wed Aug 6 15:36:39 PDT 2003

On our server running IMP 3.2 we found that if you log into IMP, and try to
empty the trash before doing anything else, you'd be logged out with a
session expired message. If you read messages, or went to other pages such
as folders or options, it seemed like you could empty trash OK.

After digging into this, I think it's turned out to be some kind of URL
encoding problem, that's making the session ID unreadable in the page you're
redirected to after the trash is emptied. I don't think it's a
trash-specific problem though.

What I've been able to track down is: the URL for the "Empty trash" icon is
generated in imp/templates/menu/menu.inc - one small fragment of code you'll
find there is:

    '&return_url=' . urlencode(Horde::selfURL(true))

The return_url seems to be HTML-Escaped (by Horde::selfURL()?), so part of
the URL for the empty trash icon ends up looking something like:

    &return_url=/horde/imp/mailbox.php?mailbox=INBOX&amp;Horde32=72fbf75afea48769c94a8213ad833b56
----------
Notice the &amp; between "INBOX" and my session identifier "Horde32" ***
----------

The code in imp/mailbox.php that handles the EMPTY_MAILBOX action simply has:

    if ($url = Horde::getFormData('return_url')) {
        header('Location: ' . $url);
        exit;
    }

The return_url never gets un-HTML-Escaped, so the URL the client is
redirected to contains a single parameter "mailbox" with the value
"INBOX&amp;Horde32=72fbf75afea48769c94a8213ad833b56", and the session
parameter isn't seen - so you get logged out.

My temporary fix was to insert a:

    $url = ereg_replace('&amp;', '&', $url);

before the 'Location:' header is set to partially un-HTML-Escape that URL -
but that doesn't do anything for other bits of code that also use
Horde::selfURL().

I tried browsing through CVS to see if any fix for that particular problem
had been made, but wasn't able to make anything out like that.

Barry
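
The escaping mismatch described in this message, as an added PHP example that is not part of the original post and is not Horde/IMP code: it follows a return_url through the link and the redirect, first HTML-escaped before urlencode(), then with the two encodings applied in layers. The helper names, the `demo` parameter and the session id value are constructed for the illustration.

```php
<?php
// Added illustration, not Horde/IMP code. Helper names, the "demo"
// parameter and the session id are constructed for this example.

// Raw self URL: plain '&' between parameters, no HTML escaping.
function self_url_raw(string $sessionName, string $sessionId): string
{
    return '/horde/imp/mailbox.php?' . http_build_query(
        ['mailbox' => 'INBOX', $sessionName => $sessionId], '', '&');
}

// What the server sees after the client follows a redirect to $location:
// is the session parameter present in the parsed query string?
function session_param_seen(string $location, string $sessionName): bool
{
    $query = (string) parse_url($location, PHP_URL_QUERY);
    parse_str($query, $params);
    return array_key_exists($sessionName, $params);
}

$raw = self_url_raw('Horde32', 'constructed0123456789abcdef');

// Behaviour described in the post: the URL is HTML-escaped first, then
// urlencode()d into return_url, then sent back verbatim in Location:.
$escaped   = htmlspecialchars($raw);          // '&' becomes '&amp;'
$linkParam = 'return_url=' . urlencode($escaped);
parse_str($linkParam, $form);                 // server decodes the form data
$buggyLocation = $form['return_url'];         // still contains '&amp;'

// Layered encoding: urlencode() the raw URL for the query string, and
// HTML-escape only the finished href when writing it into the page.
$href = htmlspecialchars('mailbox.php?demo=1&return_url=' . urlencode($raw));
// The browser undoes the HTML escaping before it requests the link.
$requested = html_entity_decode($href);
parse_str((string) parse_url($requested, PHP_URL_QUERY), $form2);
$goodLocation = $form2['return_url'];

echo "escaped first: ", $buggyLocation, "\n";
var_dump(session_param_seen($buggyLocation, 'Horde32'));
echo "layered:       ", $goodLocation, "\n";
var_dump(session_param_seen($goodLocation, 'Horde32'));
```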